Ubiquiti: The Next Generation

(Apologies, this was stuck in the draft queue for a hot minute, I mean, year… )

OK, so it’s been a few months since my original post about the new generation of Ubiquiti gear, but in that time I started a new job that has me traveling every other week, so I’ve been swamped with work and have had less time for my home network. But I finally got a week off and performed the long-awaited overhaul of the home network and the lab.

My existing Aruba InstantON network (Wifi 6: 3x AP22, 1x AP11D, and a 1930 switch) was becoming problematic, requiring everything to be rebooted periodically for the wifi to keep working. I was also having issues with my IoT devices communicating with their motherships through the OPNsense gateway I was using (because using the InstantON AP11D as a router is… not great). And since I now have multiple devices that support 6GHz, I decided it was time to take all that out and put in the shiny new Wifi 7 gear that Ubiquiti sent me back in May.

Now, I was already quite familiar with UniFi, having deployed a considerable amount of it over the years, and my current job has me deploying Ubiquiti 60GHz gear. Since the existing wifi was Layer 2 only, the first thing I did was deploy the Dream Machine Pro SE. I racked it, plugged it into power, and connected it to one of the ports on my ISP hardware. Provisioning the system with the mobile app on my iPhone was quick and easy, and I was able to replicate the multiple VLANs and subnets I had on the OPNsense box. Once I validated that they were working correctly, I moved the InstantON switch uplink from the OPNsense box to the Dream Machine. This transition was almost completely seamless, because the DHCP server on the Dream Machine pings any address before offering it to a client, so it won’t hand out an address that a client still holds from a lease the OPNsense box issued.

So at this point, I had the core of the network and the routing moved over to the Ubiquiti gateway. Since the InstantON wifi and switch weren’t handling anything at Layer 3, they didn’t notice anything different, and everything was humming along smoothly. The next step was to deploy the 24-port Pro Max switch. The Pro Max line supports 2.5 Gigabit Ethernet (although only on 8 ports) and PoE++ (on 16 ports). Downside: it’s not readily apparent from looking at the unit which ports are 2.5G (17-24, identified by a very small gray bar below the ports that blends into the chassis metal color).

But these switches also support Ubiquiti’s EtherLighting, which puts an RGB LED inside each port that shines out through clear patch cable ends and boots. I had suggested/requested something like this from another switch vendor over a decade ago, but it was dismissed as “not useful, because colorless ports are the future”. I’m here to tell you that not only does this make the switches look really freaking cool, it’s also genuinely useful: the color can be configured to show either the link speed or the native VLAN on the port. It would be nice if there were additional options such as PoE status/draw, traffic utilization, or simply letting me pick whatever color I want. The same color is shown on the status lights of the SFP+ ports as well. Sadly, the Dream Machine does not have this feature, and its 8 ports are only gigabit.

Once the switch was provisioned, I started moving connections over from the InstantON switch, after quickly provisioning the ports for the IoT network, and then moved the AP patches over to the 2.5G PoE++ ports. One thing I noticed was that my LG washer and dryer, which had lost their connection during a power outage and never recovered it (they could reach the LAN, but not LG’s notoriously flaky backend cloud service), both came online in the app, suggesting that something in the routing or firewall on OPNsense had been blocking them from reaching their mothership.

Other IoT gear (most of which is wired) popped up in the UniFi dashboard right away, and the system correctly identified the device types. It knew what my Hue bridge and Lutron bridge were without any additional configuration. There’s some device fingerprinting going on there that seems to be quite good.

The last step, once the AP ports were repatched to the switch, was to go upstairs and do the AP swap, at least for the two locations I had APs for. Ubiquiti’s included mounting plate is vastly better than the mounting option on the InstantON, which is a badly rehashed version of Aruba’s 2XX and 3XX mounting solution. The Ubiquiti mounting plate is metal and predrilled for a 3.5″ round electrical box, which is what one of the locations terminates to, and which I will be installing at the other fairly soon. A quick swap of those APs and removal of the AP11D in the living room, and they were quickly provisioned and running.

Once the APs were up, it was time for the requisite speed test. While my internet connection is nominally 500 Mbps, Ubiquiti’s hardware and the WiFiman app allow a local speed test that isn’t capped by the WAN link. The new 6GHz band was quickly in evidence, and ridiculously fast.

Going Serverless: Office 365

I recently completed a project for a small church in Kansas. Several months ago, the senior pastor asked me for a quote on a Windows server to provide authentication as well as file and print services. During the conversation, a few things became clear:

  1. Their desktop infrastructure was completely on Windows 10. Files were being kept locally or in a shared OneDrive account.
  2. The budget they had for this project was not going to allow for a proper server infrastructure with data protection, etc.
  3. This church already uses a web-based Church Management System, so they’re somewhat used to “the cloud” already as part of their workflows.

One of the key features of Windows 10 is the ability to sign in to the desktop with an Office 365 account (Windows 8 allowed it only against a Microsoft Live account). Another is that for churches and other nonprofits, Office 365 is free of charge for the E2 plan.

I set about seeing how we could go completely serverless and provide shared documents not only to the staff, but also to key volunteer teams and church committees.

The first step was to make sure everybody was on Windows 10 Pro (we found a couple of machines running Windows 10 Home). TechSoup gave us inexpensive access to licenses to get everyone up to Pro.

Then we needed to make sure the internet connection and internal networking at the site were sufficient to take their data to the cloud. We bumped up the internet speed and overhauled the internal network, replacing a couple of consumer-grade unmanaged switches and access points with a Ubiquiti UniFi solution for the firewall/router, network switch, and access points. This lets me and key church staff manage the network remotely, since the UniFi controller runs on an Amazon Web Services EC2 instance (t2.micro); the instance’s security group should restrict inbound access to the controller ports to the church’s address and the administrators’ addresses. This new network also gave the church the ability to offer guest wifi without compromising their office systems.

The next step was to join everyone’s PC to the Azure Active Directory tenant that comes with Office 365. At this point, all e-mail was still on Google Apps, until we made the cutover.

Once we had login authentication in place, I set about building the file sharing infrastructure. OneDrive seemed the obvious solution, as they were already using a shared OneDrive for Business account.

One of OneDrive’s biggest challenges is that, like FedEx, it is actually several different products trying to behave as a single, seamless product. At this, OneDrive still misses the mark. The OneDrive brand consists of the following:

  • OneDrive Personal
  • OneDrive for Business
  • OneDrive for Business in Office 365 (a product formerly known as Groove)
  • SharePoint Online

All the OneDrive for Business stuff is SharePoint/Groove under the hood. If you’re not on Office 2016, you’ll want to upgrade, because getting the right ODB client with earlier versions of Office is a nightmare. Once you get it sorted, it generally works. If you’ve got to pay full price for O365, I would recommend Dropbox for Business as an alternative. But it’s hard to beat the price of Office 365 when you’re a small business.

It is very important to understand some of the limitations of OneDrive for Business versus products like Dropbox for Business. Your “personal” OneDrive for Business files can be shared with others by sending them a link, and they can download the file, but you can’t give other users permission to modify them and collaborate on a document. For this, you need to go back to the concept of shared folders, and ODB just doesn’t do this. This is where SharePoint Online comes into play.

Naturally, this being SharePoint, it’s not the easiest thing in the world to set up. It’s powerful once you get it going, but I wasn’t able to simply drop all the shared files into one SharePoint document library: SharePoint Online enforces a 5,000-item list view threshold, and folders or views with more items than that stop rendering and fail bulk operations. Because the church’s shared files included a photo archive, there were far more than 5,000 files.

SharePoint is very picky about getting the right information architecture (IA) set up to begin with. Some things you can’t change after the fact if you decide you got them wrong. Careful planning is a must.

What I ended up doing for this church was creating a single site collection for the whole organization, and several sites within that collection, one for each ministry/volunteer team. Each SharePoint site gets three default security groups that govern access to objects within it:

  • Visitors (Read-Only)
  • Members (Read/Write)
  • Owners (Read/Write/Admin)

In Office 365, much as with on-premises SharePoint, you’re much better off creating your security groups outside of SharePoint and then nesting those groups inside the groups SharePoint creates for each site. So in this case, I created a “Worship Production” security group in Office 365, added the team members to it, and then added that group to the Worship site’s Owners group in SharePoint. The Staff group was added to every site’s Owners group, and the Visitors group was left empty in most cases. This makes group membership administration substantially easier for the on-site admin who will be handling user accounts most of the time: access changes are made in one place, and never inside SharePoint itself. It’s tedious to set up, but once it’s going, it’s smooth sailing.
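Here is what that group-nesting layout looks like when scripted, as an added example rather than anything from the original project. It uses the Microsoft Graph PowerShell module for the organization-level security groups and the SharePoint Online Management Shell for the site groups. The tenant name contoso, the account names and the team names are placeholders; the “c:0t.c|tenant|<objectId>” login format for an Azure AD security group in SharePoint and the default “<Site title> Owners” group title are assumptions about how SharePoint Online names things. It also departs from the post in one way: it creates one site collection per team rather than subsites inside one collection, which is the flat layout Microsoft now recommends.

```powershell
# Added example, not the original project's script.
# Creates organization-level security groups, one team site per ministry,
# and nests the groups into each site's default Owners group.
# Placeholders: tenant "contoso", the UPNs, and the team names below.

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Online.SharePoint.PowerShell

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$siteAdmin = "admin@contoso.org"

# 1. Security groups live in Azure AD, outside SharePoint, so the on-site admin
#    manages membership in one place. Staff is nested into every site's Owners group.
$teams = [ordered]@{
    "Staff"              = @("pastor@contoso.org", "admin@contoso.org")
    "Worship Production" = @("audio@contoso.org", "lights@contoso.org")
    "Children Ministry"  = @("kids@contoso.org")
}

$groupId = @{}
foreach ($team in $teams.Keys) {
    $nick = ($team -replace '[^A-Za-z0-9]', '').ToLower()
    $g = New-MgGroup -DisplayName $team -MailEnabled:$false -SecurityEnabled -MailNickname $nick
    foreach ($upn in $teams[$team]) {
        $u = Get-MgUser -UserId $upn
        New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $u.Id
    }
    $groupId[$team] = $g.Id
}

# SharePoint Online refers to an Azure AD security group by a claim-encoded login
# (assumed format: "c:0t.c|tenant|<objectId>").
function Get-SPOGroupLogin([string]$ObjectId) { "c:0t.c|tenant|$ObjectId" }

# 2. One team site per ministry (flat layout; the post used subsites of one collection).
#    STS#3 is the team site template without an attached Microsoft 365 group.
$sites = [ordered]@{
    "Worship Production" = "https://contoso.sharepoint.com/sites/worship"
    "Children Ministry"  = "https://contoso.sharepoint.com/sites/children"
}

foreach ($team in $sites.Keys) {
    $url = $sites[$team]
    New-SPOSite -Url $url -Owner $siteAdmin -StorageQuota 1024 -Title $team -Template "STS#3"

    # The default Owners group is titled "<Site title> Owners" (assumed default naming).
    $owners = Get-SPOSiteGroup -Site $url | Where-Object { $_.Title -eq "$team Owners" }

    # Nest the team's own group and the Staff group into Owners. Members and Visitors
    # are left empty, so nobody outside those two nested groups gets access.
    Add-SPOUser -Site $url -LoginName (Get-SPOGroupLogin $groupId[$team]) -Group $owners.Title
    Add-SPOUser -Site $url -LoginName (Get-SPOGroupLogin $groupId["Staff"]) -Group $owners.Title
}

# 3. Verification: each site's Owners group should list exactly the two nested groups.
foreach ($team in $sites.Keys) {
    Get-SPOSiteGroup -Site $sites[$team] |
        Where-Object { $_.Title -like "* Owners" } |
        ForEach-Object { "{0}: {1}" -f $_.Title, ($_.Users -join ", ") }
}
```

Day-to-day administration then happens only in the Azure AD groups: adding a volunteer to “Worship Production” grants them the Worship site, and removing them from “Staff” revokes every site at once, without anyone touching SharePoint permissions.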

Once the security permissions were set up for the various team sites, I went into the existing flat document repository and began moving files into the SharePoint document libraries. The easiest way to do this is to open the library in SharePoint and click the “Sync” button, which syncs it to a local folder on the computer, much like OneDrive (although it’s listed under SharePoint). There is no limit to how many libraries you can sync to the local machine (there’s surely a ceiling, but for practical purposes there isn’t). From there it’s a matter of drag and drop. For the photo repository, I created a separate document library in the main site and set it up as a picture library. This gives the user some basic Digital Asset Management capabilities, such as adding tags and other metadata to each picture in the library.

So far, it’s going well, and the staff enjoy having access to their SharePoint libraries as well as Microsoft Office on their mobile devices (iOS and Android). Being able to work from anywhere also gives this church some easy business continuity should a disaster befall the facility: all they have to do is relocate to the local café that has net access, and they can continue their ministry work. Their data has now been decoupled from their facility. I have encountered dozens of churches over the years whose idea of data backup is either “what backup?” or a hard drive sitting next to the computer 24×7, which is of no use if the building burns to the ground or is spontaneously relocated to adjacent counties by a tornado. The staff don’t have to worry about the intricacies of running Exchange or SharePoint on Windows Small Business Server/Essentials. Everything is a web-based administrative panel, and support from Microsoft is excellent in case there’s trouble.

If you’re interested in how to take your church or small business serverless, contact me and I’ll come up with a custom solution.

Haiti Mission Trip… From my couch!

This week, I’ve been assisting our mission team in Haiti with networking upgrades for the Guest House. I really wanted to go on this trip, but there’s way too much going on back at Resurrection, so I get to do my part through the magic of the Internet.

With the help of Liz and Bryon on the ground, as well as Thomas, our local IT guy there, we got remote management enabled on the SonicWall, and from there I was able to reconfigure it for Dynamic DNS and for WAN failover to the satellite link when the WiMAX link goes down.

The following day, I got word from the team that the failover works like a champ and that performance is much improved. We now have a static IP on the WiMAX link, so we can remote into the device when our teams aren’t there.

The other piece that needed to happen was to secure the wireless so that folks in the neighbourhood can’t mooch the limited bandwidth at the guest house. We tried to do WPA, but realized afterward that you can’t do WDS and WPA on a Ubiquiti radio because the MAC addresses are encrypted in WPA. We’re going to have to fall back to WEP. Key management isn’t nearly as easy with WEP, but it is what it is. Maybe Ubiquiti isn’t the solution here. That will be for a future team to figure out.